A lot of large enterprises take an approach my colleagues have referred to as 'rubber stamp security', that checks boxes in a compliance report while still remaining largely ineffective. For example, these companies buy tools and install them, but then never configure them properly.
From what I've seen of Verizon, they are more serious about security and beyond requiring an effective toolset, they take the approach of hiring new people who already know the tools well or give effective training to their existing and competent people as part of the onboarding process. This sounds like a no-brainer, but a lot of companies either don't do this or do it very poorly.
Beyond any kind of material impact of the breach on Yahoo's business, it would require a _lot_ of work from their security teams to absorb Yahoo in a way that raises them to Verizon's standards. An acquisition of this size is rarely very easy, but having to completely overhaul the acquired company's entire security posture just adds to this effort. Verizon's security team has to consider Yahoo's infrastructure with very little trust at this point. I wouldn't much care for the prospect of having a flaming bag of poo deposited on my porch, either.
[1] https://www.wired.com/2014/10/verizons-perma-cookie/amp/
You can be VERY good at systems security, while simultaneously wanting to violate your customers' privacy...
Still, I think the point that there's more for Verizon to worry about from Yahoo than the direct impact of the exposed customer data is a valid one. Failure to discover (if we believe them), or at least a failure to disclose, a breach for close to two years, does not speak well for them. Maybe this breach was only possible during some temporary time period two years ago, but it's also possible that whatever allowed the breach was open for a long time, allowing further opportunity to exploit other services on their network. The claim that it was possibly a 'state actor' either means they don't know and are covering their incompetence, or it was a fairly advanced threat that could potentially still be in place or even have expanded its footprint since 2014.
https://medium.com/the-coinbase-blog/on-phone-numbers-and-id...
They do periodically put out some interesting reading. If you want to look at it, their annual Data Breach Investigations Reports are worth checking out:
http://www.verizonenterprise.com/verizon-insights-lab/dbir/
(prior year reports don't require registration and are still fairly applicable)
2012: 802.5M 2013: 579.4M 2014: 218.7M 2015: -127.5M
Wait til 2016 numbers come in.
Revenue flat at $5 billion.
Consider Uber revenue, and operating income ... the numbers are horrible, but the overall outlook is obviously different.
2013: 160m 2014: 440m 2015: 1.5 billion
Yahoo's revenue
2012 - 2015: 5 billion flat, with dip in the middle.
Uber experienced explosive growth in user base... can't say the same about Yahoo.
Apples-to-oranges comparison.
> Investors are conflicted: on the one hand, Yahoo had a data breach that will cost them trust, but on the other hand, investors are surprised to hear there are still 500 million Yahoo users.
“From a legal perspective,” he said, “the question . . . ‘is it a state-sponsored attack?’ isn't really relevant in terms of what we're looking at. The question is whether this [had] a material or an adverse effect on the asset we are buying.”
One can see why he didn't want to call "bullshit" publicly, and the news media is required to be dumb, but does anyone with a clue really believe these oh-so-convenient "state actor" attributions? We're supposed to imagine that Russia: 1) wanted what Yahoo had, and 2) wanted to get caught at it. What's the motivation? Did Marissa cut in front of some favored oligarch at the ski lift in Davos or something?
This is somewhat different from Yahoo users' perspective: in their case, as well, the point is not whether the breach was state-sponsored; the point is: did it take weapons of mass destruction and hundreds of spies coordinated for months, or did it take five minutes and a hairpin?
WikiLeaks drops shit on Clinton, blame Russia.
Mayer does a terrible job, blame Russia.
Who wants to bet that next we'll hear Elizabeth Holmes blaming Russia for her silly Edison machines not working properly.